How Safe is that Cloud?

Cloud computing has some strong elements, but be mindful of your legal exposure. Having your business information stored on the cloud does not appear to afford the same legal protection as storing it on your office PC.

IT has a history of latching onto hot trends and buzzwords, and the latest is no different: cloud computing. Let me first say that it’s an exciting concept, but not necessarily a new one. While it has evolved over the years, it’s had a number of names that date back to the early days of IT and MIS. Here’s a few you might have heard in previous decades: application service provider, hosted service provider, network computing, time-sharing, multitenancy. All of these are variations on the same theme – someone else hosts the system or application, the client using the system pays for only the portion they use, without the overhead expense of maintaining the infrastructure.

What may be different this time around is that a few key technology areas have come together, and the cloud is starting to make a lot of sense for businesses of different sizes. What’s different?

Virtualization Innovations: VMWare and their brethren like Hyper-V are allowing companies to host multiple “virtual” servers on one physical machine by taking advantage of processor idle time.

Bandwidth Increase: Internet bandwidth has dropped in price and increased in capacity, so the graphical, audio, and dynamic experience users expect can be realistically delivered remotely; all the way down to having virtual desktops.

From a business perspective there are some great positives to harnessing a cloud computing setup for your company.

Lower equipment costs – there should be less capital outlay for servers and less operating costs on things like electricity and cooling since you are outsourcing the data center.

Dynamic sizing – Assuming you selected a good provider, moving your applications and data to the cloud can give you great freedom to add or subtract computing capacity quickly and easily as your business changes.

Peace of mind – Perhaps one of the biggest headaches for large enterprises and a nearly insurmountable obstacle for smaller operations is setting up disaster recovery. The right cloud environment promises to offer seamless and effortless business continuity in the event of a problem. Effortless for you that is, because all the risk is being borne by the service provider.

What’s not to like? Well there are a few things.

Loss of control and customization – Don’t get me wrong, cloud providers are continuing to add customization capabilities, but at some level you are forced into their perspective of how the environment looks or what it can contain. Don’t expect Google Apps to be hosting your Oracle databases anytime soon, for example.

Risk of hacking – By going with a big name in the cloud computing arena, you are increasing the risk that you are going to be a target for computer hacking. I hedge that by saying that it’s a slight increase that’s probably offset by the (hopefully) more sophisticated security systems used by a professional cloud provider. So let’s call this one a wash – it’s not really a con or pro for cloud computing.

Pricing Model Concerns – Depending on the pricing model used by the provider, scaling up in terms of users or percentage of computing power consumed could be detrimental to your budget.

Legal Concerns – It does not appear that your information stored at a cloud service provider has the same legal protections as documents stored at your place of business.

Wait, what’s that about legal concerns?

[DISCLAIMER: WE ARE NOT ATTORNEYS NOR A LAW FIRM, AND THIS ARTICLE IS NOT INTENDED TO SUBSTITUTE FOR LEGAL ADVICE. YOU ARE HEREBY ADVISED TO SPEAK WITH YOUR ATTORNEY TO DETERMINE THE ACTUAL LEGAL CONDITIONS IN YOUR AREA AND ANY POTENTIAL CONCERNS AS THEY MAY RELATE TO YOUR BUSINESS.]

Essentially, any information stored at a remote provider has less legal protection than that same information stored at your place of business. This is due in part to the Stored Communications Act of 1986.

If the information is stored at your place of business, probable cause and a search warrant are required to enter your establishment to search for and seize the information. You must receive a copy of the search warrant, thus ensuring you know that the search is taking (or has taken) place.

If the information is stored at a remote provider, reasonable suspicion (a lesser legal standard than probable cause) and a subpoena are all that is needed. Prior notice is supposed to be provided so you know the search is taking place, but in practical terms can be delayed indefinitely in 90-day increments.

So what this means is that if you store sensitive information on the cloud, it has less legal protection that it would if stored at your place of business. It can be searched or seized and you wouldn’t have to be notified that this is happening.

You may be thinking “well that’s all well and good, but I’m not doing anything illegal with my business so this doesn’t bother me.” In which case we would reply that we think most businesses aren’t trying to do anything illegal. However, because of this double standard you may want to think twice about placing your sensitive business information up in the cloud. While we at Walker IT Group, LLC strongly feel that the majority of government officials are honorable, we also do not think it’s a reach to think that there’s a possibility of one of your competitors attempting to mislead or coerce the judicial system in order to gain an advantage.

Consider another scenario – let’s say one of your customers, vendors, or employees is under investigation, and your company is drawn into the investigation with subpoenas and warrants served. With your information stored in the cloud you may not even find out that your data was seized. I don’t know about you, but I’m uncomfortable with the idea that potentially my customer list, in-depth financials, negotiated contracts and agreements, trade secrets, or other business documents might become part of the public record without having the opportunity to contest the search or ask for a gag order.

So if your company has decided that cloud computing is something you should be doing or are already doing, what are some of the things you should or could do?

First and foremost, consult your attorney or general counsel to determine what your business should be watching out for.

Scrutinize your cloud computing contracts and agreements. You may want to ask your attorney about making sure the terms around non-disclosure of your information includes some type of prior notice required by the cloud service provider if they are served with a subpoena.

Consider storing very sensitive business information at your place of business only, and not on a cloud service.

Contact your legislator and local chamber of commerce. It is very apparent that the laws have not caught up to how businesses and individuals use technology, and only our elected representatives can really fix that.

Ultimately we believe that cloud computing can offer many benefits to all types of businesses, but it falls on that business to make sure they understand not only the benefits but also the potential drawbacks.